Indian Railways hacked? 30 million data records up for sale

On December 27, the Indian Railways network had a data breach that resulted in the exposure of the personal information of more than 30 million customers.

It was revealed that a person on a hacker forum was selling 30 million user records from the Indian Railways system. This user, who posted under the pseudonym “shadowhacker,” left behind no traces that could lead to their identification.

Over the course of the last several years, Indian Railways has been the victim of a number of data breaches. In October of 2019, an instance of an unsecured database was left open to the public.

Due to this security breach, almost 2 million records were compromised, including 583,000 individual email addresses, usernames, and passwords stored in plain text. In January of 2020, it was disclosed to the general public that this security compromise had occurred.

In August 2020, a cybersecurity firm called Safety Detectives published findings that a vulnerability on the website of RailYatri, a government-sanctioned portal for buying and selling railway tickets that serves nearly 240 million users on a daily basis, had been exploited by a bot attack.

According to the hacker, the data contains a variety of personal characteristics such as the victim’s name, email address, phone number, and gender, in addition to other information. The user further said that the data has different email addresses for various government departments and agencies.

The threat actor claims that more than 25 million phone numbers, along with other personally identifiable information (PII), have been compromised.

The actor also offers a second endpoint that discloses the “full user history of trip information.” This information includes “a lot of data,” such as the PNR number, an invoice PDF that contains PII such as passenger name and cellphone number, and travel details such as train number and arrival time.

Along with the data, the hacker is also offering, for a fee, specific information on the website vulnerabilities that “we utilised.” The actor did not specify whether the website in question is the IRCTC booking page or the official portal of Indian Railways.

Information security researchers have not been able to verify either the genuineness of the data or the method by which it was obtained. Indian Railways has not yet issued a statement on this breach.